Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Various embodiments are disclosed for increasing Layer-3 LPM (longest prefix match) routing database in a network platform. In some embodiments, chipsets in fabric modules (FMs) can be partitioned into multiple banks. Network traffic can be directed towards a corresponding bank in the FMs by using a LPM table on a line card (LC). Entries in the LPM table on the LC can be programmed either statically or dynamically based upon LPM routes that are dynamically learned.

Abstract: Systems, methods, and non-transitory computer-readable storage media for forwarding tables for virtual networking devices. The system first identifies local virtual machines hosted on a local host connected to the system, the system having virtual tunneling capabilities. The system then generates a forwarding table for the system. Next, the system populates the forwarding table with local entries including bindings for the local virtual machines hosted on the local host and adds a default route in the forwarding table pointing to a default forwarder function, wherein the default route is configured to handle all non-local traffic relative to the system and the local host.

Abstract: Various embodiments are directed to a system and method for establishing a secure communication pathway between a network-connected device and a computing platform. Such configurations encompass encrypting a device-specific installation package passed to the device using a device-generated cryptography key, verifying the identity of the computing platform at the device, encrypting a response message via a platform-generated cryptography key, transmitting the response message to the computing platform, verifying characteristics of the device via the response message, and establishing a secure communication platform upon verification of the device.

Abstract: To determine whether an IoT system connected with a network environment (e.g., the internet) is compromised, a networked Trust as a Service (TaaS) server receives system data indicative of various characteristics of the IoT system, wherein the system data is harvested by a software agent installed on the IoT system. The TaaS server initially establishes a baseline characteristics profile for the IoT system, such that subsequently received system data from the software agent may be compared against the baseline characteristics profile to quickly identify discrepancies between the originally established baseline characteristics profile and current operating characteristics of the system. Such discrepancies may be caused by desirable software updates, in which case the discrepancies may be integrated into the baseline characteristics profile, or the discrepancies may result from the IoT system being undesirably compromised.

Abstract: Providing an objective measure of trust in data provided by an Industrial Internet of Things (IIoT) device and/or a plurality of IIoT devices at a particular location so as to provide an aggregated objective measure of trust in data provided by the particular location.

Abstract: Providing an objective measure of trust in data provided by an Industrial Internet of Things (IIoT) device utilizes an objective trust indicator generated based at least in part on baseline device characteristics and corresponding monitored/observed device characteristics. These device characteristics may comprise device hardware characteristics, device software characteristics, application software characteristics (of software installed on the device), and/or device behavior characteristics. The trust indicator is determined by comparing a match vector indicative of weighted scores for the baseline device characteristics relative to a generated monitored characteristics vector indicative of differences between baseline and monitored device characteristics, and determining a directional difference between the match vector and the monitored characteristics vector.

Abstract: Identity information is decoupled from reachability information in packets transferred between hosts of a computer network by replacing forwarding information within said packets with an identifier having a format of the forwarding information, and applying forwarding labels, derived from the identifiers, which are then used in lieu of the forwarding information for conveying the packets within the network. During such conveyance, the packets are treated according to one or more policies prescribed on a basis of the identifier, which may be an IPv6 address. The forwarding labels may be MPLS labels.

Abstract: An administrator can define or modify one or more service graphs. Next, the administrator can register service appliances along with their device package files with a controller. Then, the controller can establish the capabilities of the service devices, and classify the service devices as legacy or service tag switching (STS) capable devices. Then, the controller can create one or more instances of the service graph, by populating the service nodes into the service graph. Then, the application owner can attach their endpoint groups (EPGs) to the service graphs created by the administrator. Then, a service in the network can be automatically provisioned using the service graph to configure one or more nodes in an associated service chain of the service according to information in the service graph.

Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

Abstract: Various embodiments are disclosed for increasing Layer-3 LPM (longest prefix match) routing database in a network platform. In some embodiments, chipsets in fabric modules (FMs) can be partitioned into multiple banks. Network traffic can be directed towards a corresponding bank in the FMs by using a LPM table on a line card (LC). Entries in the LPM table on the LC can be programmed either statically or dynamically based upon LPM routes that are dynamically learned.

Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and non-transitory computer-readable storage media for forwarding tables for virtual networking devices. The system first identifies local virtual machines hosted on a local host connected to the system, the system having virtual tunneling capabilities. The system then generates a forwarding table for the system. Next, the system populates the forwarding table with local entries including bindings for the local virtual machines hosted on the local host and adds a default route in the forwarding table pointing to a default forwarder function, wherein the default route is configured to handle all non-local traffic relative to the system and the local host.

Abstract: Various embodiments are disclosed for increasing Layer-3 LPM (longest prefix match) routing database in a network platform. In some embodiments, chipsets in fabric modules (FMs) can be partitioned into multiple banks. Network traffic can be directed towards a corresponding bank in the FMs by using a LPM table on a line card (LC). Entries in the LPM table on the LC can be programmed either statically or dynamically based upon LPM routes that are dynamically learned.

Abstract: Systems, methods, and non-transitory computer-readable storage media for forwarding tables for virtual networking devices. The system first identifies local virtual machines hosted on a local host connected to the system, the system having virtual tunneling capabilities. The system then generates a forwarding table for the system. Next, the system populates the forwarding table with local entries including bindings for the local virtual machines hosted on the local host and adds a default route in the forwarding table pointing to a default forwarder function, wherein the default route is configured to handle all non-local traffic relative to the system and the local host.

Abstract: The subject technology addresses a need for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology provides solutions for extending multipathing to tenant multicast traffic in an overlay network, which enables greater bandwidth utilization for multicast traffic. In some aspects, nodes in the overlay network can be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: A system and method for delivering content in real-time using advanced messaging technology that reduces the risk of content being lost or dropped in transmission. The system and method utilize a custom, simplified XML format to deliver real-time textual, numeric, and metadata content directly to subscribers. The XML tag set specifies all of the information needed to package, process, and distribute real-time content messages and includes an advanced tagging structure that allows granular content customization. Messages are built on the fly using multi-channel data processing techniques. The XML delivery system and method offers an array of real-time market-specific page-based “Alert” services and aggregated newswires with accompanying real-time numeric data feeds. These feeds contain proprietary assessments and other price data across a broad spectrum of global and regional commodity markets, including oil, petrochemicals, metals, electric power, natural gas, coal, and risk.

Abstract: The subject technology addresses the need in the art for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology addresses the need in the art for extending multipathing to tenant multicast traffic in an IP overlay network, which enables the network to fully utilize available bandwidth for multicast traffic. In some examples, nodes in the overlay network may be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: An administrator can define or modify one or more service graphs. Next, the administrator can register service appliances along with their device package files with a controller. Then, the controller can establish the capabilities of the service devices, and classify the service devices as legacy or service tag switching (STS) capable devices. Then, the controller can create one or more instances of the service graph, by populating the service nodes into the service graph. Then, the application owner can attach their endpoint groups (EPGs) to the service graphs created by the administrator. Then, a service in the network can be automatically provisioned using the service graph to configure one or more nodes in an associated service chain of the service according to information in the service graph.